European banks lobby Commission to push ahead with screen scraping ban

Screen-scraping is hardly the technology of choice for a third party, it's a right pain.  But it's better than a bad API or an API that doesn't exist. Screen-scraping at least sets the low bar.  Why outlaw it ?  Only anti-competitive reasons I can see.

Let fintech allow banks to screen scrape fintech apps. Then banks won't protest fintech's demand to screen scrape banking apps. On a side note, who is responsible for leakage / loss of customer data during a screen scraped session used by a third party (vs. customer)? In fact, is it even technologically possible to determine whether a screen-scraped session is used by first party (i.e. customer) or third party (i.e. fintech / bank)?

The objective of PSD2 is to promote competition and transparency in financial services across the EU, following the guiding principles of business model and technology neutrality and promoting a level playing field.

It would be the first time in history that competition is promoted by banning the way new entrants in a market do business. It would also not be business and technology neutral to ban a specific technology. In addition according to European law a level 2 legal text cannot ammend a level 1 text, which is what the last EBA draft was doing.

@ketharam according to PSD2 TPPs have to identify themselves towards the banks with an electronic certificate. It is a piece of cake for banks to setup mutual certificate authentication. Regarding identification of a screen scrapping session, it is relatively easy if it is done in large numbers.

@Russell I agree good APIs are better than screen scrapping. The only way to have good APIs is via competition with screen scrapping, otherwise the incentive is not there.

@ArturoGonzálezMacDowell:

Very well then, fintech should setup "mutual certificate authentication" for banks, allow banks to screen scrape fintech apps, show banks how easy it is to identify banks accessing each screen-scraped session. Since fintech prides itself on agility vis-a-vis banks, fintech should be able to do all this in no time, thereby not threatening PSD2 timescales.

Banks are already screen scraping themselves and others - heavily! If the RTS is amended accordingly, they will be able to continue, including PSD2-licensed fintechs that qualify as an ASPSP.

This video is not jaunty, but scandalous. Portraying soon-to-be-licensed fintechs as cybercriminals is a disgrace. And it is confusing screen scraping with impersonation, and actually calling to ban that, which no one is contesting. That is beating a dead horse.

What they forget to say is that it is the banks themselves that do not want to allow fintechs to identify themselves when using their customer-facing online banking interface, because that is the only way they can refuse their access - according to the latest RTS draft.

This is what really has to change to stop impersonation and limit Direct Access to licensed, supervised and audited fintechs only - and keep the criminals away!

Many banks in Europe already use a 2-factor authentication and if not, need to have it implemented when RTS comes into force. This makes screen scraping a very (end-)user unfriendly exercise. It is not possible anymore to leave a userid/password with TPP as 2FA requires an action from the end-user with a specific device that only the end-user has access to. This means that each time a payment is initiated or account info is retrieved through screen scraping an action by the end user is required. And this is different per bank. I can't imagine why Fintechs want this and how this is going to differentiate them from the banks.

The (final draft) RTS states that the APIs of the banks need to match the functionality and service levels that the banks offer to the end user via their own channels. With this the APIs should at least give Fintechs the same level of access as screen scraping does. This makes me wonder why Fintechs believe that they are better of with screen scraping than with APIs.

The question may be raised what authority will be assigned to take what measures if a bank does not meet that RTS rule. Possibly this is defined in the transition of PSD2 into the local jurisdiction of the concerning countries. The discussion could be closed if everything was not left that much in the open, but the APIs that banks must implement are clearly specified, as is the case with a comparable initiative in India, UPI.